Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (eMicrosoft Community Contributo)
  • When: 18 Jul 2011 3:43 AM
  • Last revision by (eMicrosoft Community Contributo)
  • When: 16 Jul 2013 10:24 PM
  • Revisions: 30
  • Comments: 5
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  DNS Read-Only Console on 2003-Multi Domain Environment

DNS Read-Only Console on 2003-Multi Domain Environment

DNS Read-Only Console on 2003-Multi Domain Environment

Table of Contents

1. For read-only permission you have give the below three permissions.


1. Read all properties.
2. List Contents
3. Read Permission.

Deny all

Please note you have to modify the ACL on server label and DNS Zone label as well.
If you have multi domain environment(Parent-Child) you have to modify the server label permission on each domain but for DNS Zones you have to modify the ACL once.

You should modify the each zone's ACL(Forward lookup and reverse lookup as well).
The best parctice is create a security group and assign the read only permission.
Add the members into that group.



2. Follow the AGUDLP guideline for providing the permission

.

Add users to a global group, add the global group to a Universal, add the Universal to a Domain Local Group, add the Domain Local Group to the resource, then provide permissions for the Domain Local Group to access the resource.

This can be expanded to AGGUUDLDLP

Changing group scope

When you create a new group, by default the new group is configured as a security group with global scope, regardless of the current domain functional level. Although changing a group scope is not allowed in domains with a domain functional level of Windows 2000 mixed, the following conversions are allowed in domains with the domain functional level of Windows 2000 native or Windows Server 2003:

  • Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.

  • Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.

  • Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.

  • Universal to domain local. There are no restrictions for this operation.

3. On 2008 you can go ahead with RODC for DNS Read-Only Console.

, , , , , [Edit tags]
Leave a Comment
  • Please add 2 and 7 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 7 Jan 2013 10:08 AM

    Richard Mueller edited Revision 26. Comment: Format headings

  • 7 Jan 2013 10:02 AM

    Richard Mueller edited Revision 25. Comment: Fixed zero in <a name> tag in heading in HTML so TOC works properly

  • 7 Jan 2013 9:41 AM

    Richard Mueller edited Revision 24. Comment: Removed (en-US) from title

Page 1 of 1 (3 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 19 Nov 2012 4:34 AM

    Old operating system but good arcticle

  • Posted by
    on 19 Nov 2012 7:54 PM

    You can do the same on 2008 if you dont have the RODC

  • Posted by
    on 7 Jan 2013 9:41 AM

    Richard Mueller edited Revision 24. Comment: Removed (en-US) from title

  • Posted by
    on 7 Jan 2013 10:02 AM

    Richard Mueller edited Revision 25. Comment: Fixed zero in <a name> tag in heading in HTML so TOC works properly

  • Posted by
    on 7 Jan 2013 10:08 AM

    Richard Mueller edited Revision 26. Comment: Format headings

Page 1 of 1 (5 items)